Wednesday, May 23, 2012

In this post, I will discuss two vulnerabilities that I have found in ResEdit 1.5.11-win32, a known resource editor. Since they are very similar, I will discuss them as if they were a single vulnerability.

It is a buffer overflow, but what is different about this vulnerability is that the buffer is located in the .data section of ResEdit.exe: it is neither a stack-based nor a heap-based buffer.

The vulnerability occurs when ResEdit tries to copy names of named resource entries to an inadequate buffer.

In the image below, you can see what a normal named entry looks like.

You can see that the length field holds 0xC, which is the number of Unicode characters in the string "KNOWNRESTYPE" (no null terminator is used).

By placing a higher value in the length field and extending the string to the matching length, we get a buffer overflow. In the image below, I have used 0xF63 as the malicious length field.

Let's have a look at code in OllyDbg.

As you can see in the image above, there is a loop at 0x46A93F. In this loop, named entries are processed and each name is copied in an unsafe manner to the buffer at 0x4EB118 by calling "_wcsncpy" with the "count" parameter set to the value of the length field, so the attacker-controlled length, not the size of the destination, decides how many characters are written.
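The safe way to consume this entry format is to treat the 16-bit length field as untrusted and check it against both the bytes actually present and the capacity of the destination before copying. The following is an added example, not ResEdit's code: a bounds-checked reader for the length-prefixed UTF-16 name entry described above, exercised on two constructed samples (a well-formed "KNOWNRESTYPE" entry and one whose length field claims 0xF63 units while only 12 follow). The destination capacity of 64 units is a hypothetical value, since the post does not state the real buffer size.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical capacity of the destination, in UTF-16 code units. */
#define NAME_CAPACITY 64

/* Read one named resource entry: uint16 Length, then Length UTF-16 code
   units with no terminator. Returns the number of units copied into out
   (NUL-terminated), or -1 if the entry is malformed: the length field
   claims more bytes than remain in data, or the name would not fit in out. */
int read_resource_name(const uint8_t *data, size_t size, size_t offset,
                       uint16_t *out, size_t out_cap)
{
    if (offset > size || size - offset < 2) return -1;        /* no room for Length */
    uint16_t len = (uint16_t)(data[offset] | (data[offset + 1] << 8));
    size_t need = (size_t)len * 2;
    if (need > size - offset - 2) return -1;  /* Length exceeds remaining bytes */
    if ((size_t)len >= out_cap) return -1;    /* would overflow the destination */
    memcpy(out, data + offset + 2, need);
    out[len] = 0;
    return len;
}

/* Constructed sample: Length 0xC followed by "KNOWNRESTYPE", as in the post. */
static const uint8_t GOOD_ENTRY[] = {
    0x0C, 0x00,
    'K',0,'N',0,'O',0,'W',0,'N',0,'R',0,'E',0,'S',0,'T',0,'Y',0,'P',0,'E',0
};
/* Constructed sample: Length 0xF63, but only 12 code units actually follow. */
static const uint8_t BAD_ENTRY[] = {
    0x63, 0x0F,
    'K',0,'N',0,'O',0,'W',0,'N',0,'R',0,'E',0,'S',0,'T',0,'Y',0,'P',0,'E',0
};

/* Well-formed entry: expected to return 12. */
int parse_good_sample(void)
{
    uint16_t buf[NAME_CAPACITY];
    return read_resource_name(GOOD_ENTRY, sizeof GOOD_ENTRY, 0, buf, NAME_CAPACITY);
}
/* Oversized length field: expected to be rejected with -1. */
int parse_bad_sample(void)
{
    uint16_t buf[NAME_CAPACITY];
    return read_resource_name(BAD_ENTRY, sizeof BAD_ENTRY, 0, buf, NAME_CAPACITY);
}
/* Valid data but a destination too small for 12 units: expected -1. */
int parse_good_sample_small_dest(void)
{
    uint16_t buf[8];
    return read_resource_name(GOOD_ENTRY, sizeof GOOD_ENTRY, 0, buf, 8);
}
```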